<?xml version="1.0" encoding="iso-8859-1" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content=
    "application/xhtml+xml; charset=iso-8859-1" />
    <title>
      iptables-1.8.4
    </title>
    <link rel="stylesheet" type="text/css" href="../stylesheets/lfs.css" />
    <meta name="generator" content="DocBook XSL Stylesheets V1.79.1" />
    <link rel="stylesheet" href="../stylesheets/lfs-print.css" type=
    "text/css" media="print" />
  </head>
  <body class="blfs" id="blfs-9.1">
    <div class="navheader">
      <h4>
        Beyond Linux<sup>�</sup> From Scratch <span class="phrase">(System
        V</span> Edition) - Version 9.1
      </h4>
      <h3>
        Chapter&nbsp;4.&nbsp;Security
      </h3>
      <ul>
        <li class="prev">
          <a accesskey="p" href="haveged.html" title="Haveged-1.9.2">Prev</a>
          <p>
            Haveged-1.9.2
          </p>
        </li>
        <li class="next">
          <a accesskey="n" href="firewall.html" title=
          "Setting Up a Network Firewall">Next</a>
          <p>
            Setting Up a Network Firewall
          </p>
        </li>
        <li class="up">
          <a accesskey="u" href="security.html" title=
          "Chapter&nbsp;4.&nbsp;Security">Up</a>
        </li>
        <li class="home">
          <a accesskey="h" href="../index.html" title=
          "Beyond Linux� From Scratch     (System V Edition) - Version 9.1">Home</a>
        </li>
      </ul>
    </div>
    <div class="sect1" lang="en" xml:lang="en">
      <h1 class="sect1">
        <a id="iptables" name="iptables"></a>iptables-1.8.4
      </h1>
      <div class="package" lang="en" xml:lang="en">
        <h2 class="sect2">
          Introduction to iptables
        </h2>
        <p>
          <span class="application">iptables</span> is a userspace command
          line program used to configure Linux 2.4 and later kernel packet
          filtering ruleset.
        </p>
        <p>
          This package is known to build and work properly using an LFS-9.1
          platform.
        </p>
        <h3>
          Package Information
        </h3>
        <div class="itemizedlist">
          <ul class="compact">
            <li class="listitem">
              <p>
                Download (HTTP): <a class="ulink" href=
                "http://www.netfilter.org/projects/iptables/files/iptables-1.8.4.tar.bz2">
                http://www.netfilter.org/projects/iptables/files/iptables-1.8.4.tar.bz2</a>
              </p>
            </li>
            <li class="listitem">
              <p>
                Download (FTP): <a class="ulink" href=
                "ftp://ftp.netfilter.org/pub/iptables/iptables-1.8.4.tar.bz2">
                ftp://ftp.netfilter.org/pub/iptables/iptables-1.8.4.tar.bz2</a>
              </p>
            </li>
            <li class="listitem">
              <p>
                Download MD5 sum: 9b201107957fbf62709c3d8226239b0d
              </p>
            </li>
            <li class="listitem">
              <p>
                Download size: 688 KB
              </p>
            </li>
            <li class="listitem">
              <p>
                Estimated disk space required: 17 MB
              </p>
            </li>
            <li class="listitem">
              <p>
                Estimated build time: 0.2 SBU
              </p>
            </li>
          </ul>
        </div>
        <h3>
          iptables Dependencies
        </h3>
        <h4>
          Optional
        </h4>
        <p class="optional">
          <a class="xref" href="../basicnet/libpcap.html" title=
          "libpcap-1.9.1">libpcap-1.9.1</a> (required for nfsypproxy
          support), <a class="ulink" href=
          "https://github.com/tadamdam/bpf-utils">bpf-utils</a> (required for
          Berkely Packet Filter support), <a class="ulink" href=
          "https://netfilter.org/projects/libnfnetlink/">libnfnetlink</a>
          (required for connlabel support), and <a class="ulink" href=
          "https://netfilter.org/projects/libnetfilter_conntrack/">libnetfilter_conntrack"</a>
          (required for connlabel support)
        </p>
        <p class="usernotes">
          User Notes: <a class="ulink" href=
          "http://wiki.linuxfromscratch.org/blfs/wiki/iptables">http://wiki.linuxfromscratch.org/blfs/wiki/iptables</a>
        </p>
      </div>
      <div class="kernel" lang="en" xml:lang="en">
        <h2 class="sect2">
          <a id="iptables-kernel" name="iptables-kernel"></a>Kernel
          Configuration
        </h2>
        <p>
          A firewall in Linux is accomplished through the netfilter
          interface. To use <span class="application">iptables</span> to
          configure netfilter, the following kernel configuration parameters
          are required:
        </p>
        <pre class="screen">
<code class=
"literal">[*] Networking support  ---&gt;                                          [CONFIG_NET]
      Networking Options  ---&gt;
        [*] Network packet filtering framework (Netfilter) ---&gt;       [CONFIG_NETFILTER]
          [*] Advanced netfilter configuration                        [CONFIG_NETFILTER_ADVANCED]
          Core Netfilter Configuration ---&gt;
            &lt;*/M&gt; Netfilter connection tracking support               [CONFIG_NF_CONNTRACK]
            &lt;*/M&gt; Netfilter Xtables support (required for ip_tables)  [CONFIG_NETFILTER_XTABLES]
            &lt;*/M&gt; LOG target support                                  [CONFIG_NETFILTER_XT_TARGET_LOG]
          IP: Netfilter Configuration ---&gt;
            &lt;*/M&gt; IP tables support (required for filtering/masq/NAT) [CONFIG_IP_NF_IPTABLES]</code>
</pre>
        <p>
          Include any connection tracking protocols that will be used, as
          well as any protocols that you wish to use for match support under
          the "Core Netfilter Configuration" section.
        </p>
      </div>
      <div class="installation" lang="en" xml:lang="en">
        <h2 class="sect2">
          Installation of iptables
        </h2>
        <div class="admon note">
          <img alt="[Note]" src="../images/note.png" />
          <h3>
            Note
          </h3>
          <p>
            The installation below does not include building some specialized
            extension libraries which require the raw headers in the
            <span class="application">Linux</span> source code. If you wish
            to build the additional extensions (if you aren't sure, then you
            probably don't), you can look at the <code class=
            "filename">INSTALL</code> file to see an example of how to change
            the <em class="parameter"><code>KERNEL_DIR=</code></em> parameter
            to point at the <span class="application">Linux</span> source
            code. Note that if you upgrade the kernel version, you may also
            need to recompile <span class="application">iptables</span> and
            that the BLFS team has not tested using the raw kernel headers.
          </p>
        </div>
        <p>
          Install <span class="application">iptables</span> by running the
          following commands:
        </p>
        <pre class="userinput">
<kbd class="command">./configure --prefix=/usr      \
            --sbindir=/sbin    \
            --disable-nftables \
            --enable-libipq    \
            --with-xtlibdir=/lib/xtables &amp;&amp;
make</kbd>
</pre>
        <p>
          This package does not come with a test suite.
        </p>
        <p>
          Now, as the <code class="systemitem">root</code> user:
        </p>
        <pre class="root">
<kbd class="command">make install &amp;&amp;
ln -sfv ../../sbin/xtables-legacy-multi /usr/bin/iptables-xml &amp;&amp;

for file in ip4tc ip6tc ipq xtables
do
  mv -v /usr/lib/lib${file}.so.* /lib &amp;&amp;
  ln -sfv ../../lib/$(readlink /usr/lib/lib${file}.so) /usr/lib/lib${file}.so
done</kbd>
</pre>
      </div>
      <div class="commands" lang="en" xml:lang="en">
        <h2 class="sect2">
          Command Explanations
        </h2>
        <p>
          <em class="parameter"><code>--disable-nftables</code></em>: This
          switch disables building nftables compat.
        </p>
        <p>
          <em class="parameter"><code>--enable-libipq</code></em>: This
          switch enables building of <code class="filename">libipq.so</code>
          which can be used by some packages outside of BLFS.
        </p>
        <p>
          <em class=
          "parameter"><code>--with-xtlibdir=/lib/xtables</code></em>: Ensure
          all <span class="application">iptables</span> modules are installed
          in the <code class="filename">/lib/xtables</code> directory.
        </p>
        <p>
          <code class="option">--enable-nfsynproxy</code>: This switch
          enables installation of <span class="application">nfsynproxy</span>
          SYNPROXY configuration tool.
        </p>
        <p>
          <span class="command"><strong>ln -sfv
          ../../sbin/xtables-legacy-multi
          /usr/bin/iptables-xml</strong></span>: Ensure the symbolic link for
          <span class="command"><strong>iptables-xml</strong></span> is
          relative.
        </p>
      </div>
      <div class="content" lang="en" xml:lang="en">
        <h2 class="sect2">
          Contents
        </h2>
        <div class="segmentedlist">
          <div class="seglistitem">
            <div class="seg">
              <strong class="segtitle">Installed Programs:</strong>
              <span class="segbody">ip6tables, ip6tables-restore,
              ip6tables-save, iptables, iptables-restore, iptables-save,
              iptables-xml, nfsynproxy (optional) and xtables-multi</span>
            </div>
            <div class="seg">
              <strong class="segtitle">Installed Libraries:</strong>
              <span class="segbody">libip4tc.so, libip6tc.so, libipq.so,
              libiptc.so, and libxtables.so</span>
            </div>
            <div class="seg">
              <strong class="segtitle">Installed Directories:</strong>
              <span class="segbody">/lib/xtables and
              /usr/include/libiptc</span>
            </div>
          </div>
        </div>
        <div class="variablelist">
          <h3>
            Short Descriptions
          </h3>
          <table border="0" class="variablelist">
            <colgroup>
              <col align="left" valign="top" />
              <col />
            </colgroup>
            <tbody>
              <tr>
                <td>
                  <p>
                    <a id="iptables-prog" name=
                    "iptables-prog"></a><span class="term"><span class=
                    "command"><strong>iptables</strong></span></span>
                  </p>
                </td>
                <td>
                  <p>
                    is used to set up, maintain, and inspect the tables of IP
                    packet filter rules in the Linux kernel.
                  </p>
                </td>
              </tr>
              <tr>
                <td>
                  <p>
                    <a id="iptables-restore" name=
                    "iptables-restore"></a><span class="term"><span class=
                    "command"><strong>iptables-restore</strong></span></span>
                  </p>
                </td>
                <td>
                  <p>
                    is used to restore IP Tables from data specified on
                    STDIN. Use I/O redirection provided by your shell to read
                    from a file.
                  </p>
                </td>
              </tr>
              <tr>
                <td>
                  <p>
                    <a id="iptables-save" name=
                    "iptables-save"></a><span class="term"><span class=
                    "command"><strong>iptables-save</strong></span></span>
                  </p>
                </td>
                <td>
                  <p>
                    is used to dump the contents of an IP Table in easily
                    parseable format to STDOUT. Use I/O-redirection provided
                    by your shell to write to a file.
                  </p>
                </td>
              </tr>
              <tr>
                <td>
                  <p>
                    <a id="iptables-xml" name="iptables-xml"></a><span class=
                    "term"><span class=
                    "command"><strong>iptables-xml</strong></span></span>
                  </p>
                </td>
                <td>
                  <p>
                    is used to convert the output of <span class=
                    "command"><strong>iptables-save</strong></span> to an XML
                    format. Using the <code class=
                    "filename">iptables.xslt</code> stylesheet converts the
                    XML back to the format of <span class=
                    "command"><strong>iptables-restore</strong></span>.
                  </p>
                </td>
              </tr>
              <tr>
                <td>
                  <p>
                    <a id="ip6tables" name="ip6tables"></a><span class=
                    "term"><span class=
                    "command"><strong>ip6tables*</strong></span></span>
                  </p>
                </td>
                <td>
                  <p>
                    are a set of commands for IPV6 that parallel the iptables
                    commands above.
                  </p>
                </td>
              </tr>
              <tr>
                <td>
                  <p>
                    <a id="nfsynproxy" name="nfsynproxy"></a><span class=
                    "term"><span class=
                    "command"><strong>nfsynproxy</strong></span></span>
                  </p>
                </td>
                <td>
                  <p>
                    (optional) configuration tool. SYNPROXY target makes
                    handling of large SYN floods possible without the large
                    performance penalties imposed by the connection tracking
                    in such cases.
                  </p>
                </td>
              </tr>
              <tr>
                <td>
                  <p>
                    <a id="xtables-multi" name=
                    "xtables-multi"></a><span class="term"><span class=
                    "command"><strong>xtables-multi</strong></span></span>
                  </p>
                </td>
                <td>
                  <p>
                    is a binary that behaves according to the name it is
                    called by.
                  </p>
                </td>
              </tr>
            </tbody>
          </table>
        </div>
      </div>
      <p class="updated">
        Last updated on 2020-02-26 08:20:10 -0800
      </p>
    </div>
    <div class="navfooter">
      <ul>
        <li class="prev">
          <a accesskey="p" href="haveged.html" title="Haveged-1.9.2">Prev</a>
          <p>
            Haveged-1.9.2
          </p>
        </li>
        <li class="next">
          <a accesskey="n" href="firewall.html" title=
          "Setting Up a Network Firewall">Next</a>
          <p>
            Setting Up a Network Firewall
          </p>
        </li>
        <li class="up">
          <a accesskey="u" href="security.html" title=
          "Chapter&nbsp;4.&nbsp;Security">Up</a>
        </li>
        <li class="home">
          <a accesskey="h" href="../index.html" title=
          "Beyond Linux� From Scratch     (System V Edition) - Version 9.1">Home</a>
        </li>
      </ul>
    </div>
  </body>
</html>
